Administration Guide

FortiPAM deployment options

A full FortiPAM solution involves FortiPAM, EMS, and standard FortiClient. When both FortiPAM and FortiClient register to EMS, ZTNA endpoint control is available for secret launching and FortiPAM server access control. Both FortiPAM and the target server are protected by the highest security level.

When EMS is not available, standalone FortiClient is recommended. With standalone FortiClient, native launchers such as PuTTY, RDP, VNC Viewer, Tight VNC, and WinSCP can be used to connect to the target server, and the user can take advantage of the functionality these applications provide. Also, video recording of user activity on the target server is sent to FortiPAM in real time.

If FortiClient is not available, e.g., for a user on a Linux or MacOS system, a Chrome and Edge extension called FortiPAM Password Filler is available from the Chrome Web Store and Microsoft Edge Add-ons. In this extension-only setup, web-based launchers and web browsing are supported. The extension can record user activities on the target server.

On a system without FortiClient and the browser extension, the user can still log in to FortiPAM and use the web-based launchers. However, none of the other features mentioned above are available.

  1. If EMS (7.2.0 or later) is available:
    1. EMS Server:
      1. Enable Privilege Access Management:
        1. Navigate to Endpoint Profiles > System Settings.
        2. Edit the Default System Setting Profiles.
        3. Select Advanced and enable Privilege Access Management.

      2. Push FortiClient (7.2.0 or later) to registered PCs:
        1. Navigate to Deployment & Installers > FortiClient Installer.
        2. Add a package with both Zero Trust Network Access and Privilege Access Management enabled on the third tab of the wizard.

        3. Navigate to Deployment & Installers > Manage Deployment and apply the FortiClient installer package to select endpoint groups.
    2. Windows: Download standard FortiClient (7.2.0 or later), and enable the "ZTNA" and "PAM" functions during the installation. Full FortiPAM features are then supported.

      After FortiClient registers to EMS, EMS can automatically deploy the configured FortiClient version to the Windows PC.

    3. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or web launcher to access the target server.

      Note: ZTNA and native launchers are not supported on extension-only systems.

  2. If EMS (7.2.0 or later) is not available:
    1. Windows: After downloading and installing standalone FortiClient (7.2.0 or later) manually, most PAM features are supported.

      Note: A standalone installer contains PAM in its filename, such as FortiClientPAMSetup_7.2.0.0xxx_x64.exe.

      Note: ZTNA is not supported.

    2. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or web launcher to access the target server.

      Note: ZTNA and native launchers are not supported on extension-only systems.

  3. If FortiClient is not available (extension-only):
    1. Windows: Install the FortiPAM Password Filler extension from the Chrome Web Store or Microsoft Edge Add-ons. Then use web-based launchers or web launcher to access the target server.

      Note: ZTNA and native launchers are not supported on extension-only systems.

    2. Linux and MacOS: Install the FortiPAM Password Filler extension from the Chrome Web Store or follow the FortiPAM GUI prompt. Then use web-based launchers or web launcher to access the target server.

      Note: ZTNA and native launchers are not supported on extension-only systems.

    Note: Chrome or Edge web browsers are recommended, as Firefox extension-only deployment has some limitations.
